10
min reading time
The new Common Criteria Scheme, called the European Cybersecurity Certification Scheme (EUCC), is essential for harmonizing high-security cybersecurity certification of ICT products across EU member states. It facilitates mutual recognition of certifications, supports innovation, and ensures compliance with legal requirements. Fully effective from February 2025, the EUCC aims to provide a unified and robust framework for evaluating IT products, boosting consumer trust, and fostering a more secure digital environment.
EU cybersecurity certification scheme is developed by ENISA within the framework defined in the Cybersecurity Act and taking into account existing national schemes and Common Criteria standards. EUCC, the new cybersecurity scheme is a voluntary, Common Criteria-based cybersecurity certification initiative. It aims to harmonize the Common Criteria certification process across EU member states, providing a consistent and reliable standard for IT product security.
ICT suppliers looking to prove the security of their products can apply for the EUCC certification. The certification will be managed by EUCC-accredited Certification Bodies (CBs) and Information Technology Security Evaluation Facilities (ITSEFs), collectively known as Conformity Assessment Bodies (CABs). Below, we discover the key benefits of the EUCC scheme.
The EUCC aims to harmonize the approach to cybersecurity certification across EU member states, reducing fragmentation and ensuring a consistent level of security assurance across the region.
This alignment helps create a unified standard that all products can adhere to, simplifying the certification process for developers and raising trust among users and regulators.
With the growing complexity and interconnectedness of IT systems, there is a need for more robust security measures. The EUCC scheme provides a structured framework for evaluating the security properties of IT products, ensuring they meet stringent security requirements.
This is particularly important in the face of evolving cybersecurity threats. The scheme's rigorous assessment ensures that certified products are securely developed to be protected against a wide range of cyber threats, enhancing overall cybersecurity.
By adopting the EUCC, the EU aims to facilitate mutual recognition of certifications across member states, reducing the need for multiple certifications for products sold in different countries.
This mutual recognition is critical for the smooth functioning of the single market, allowing products to be more easily traded across borders. This approach not only simplifies the process for manufacturers but also fosters greater trust and cooperation among EU member states.
The EUCC provides clear guidelines and requirements for cybersecurity, which can help developers and manufacturers integrate security features early in the product development cycle.
This proactive approach supports innovation by making it easier for companies to design and build secure products from the ground up. By incorporating security considerations early in the development process, companies can avoid costly redesigns and ensure their products meet the highest security standards from the outset.
Adhering to the EUCC certification requirements demonstrates a product’s adherence to cybersecurity, which can be a significant advantage in today's regulatory environment and competitive market.
The EUCC certification increases consumer trust and confidence in the security of IT products. Knowing that a product has been certified under a rigorous, standardized Common Criteria scheme reassures consumers about its security features, enhancing its marketability. Increased consumer trust can lead to higher adoption rates and greater customer loyalty, providing a competitive advantage for certified products.
The EUCC scheme will be fully effective from the end of February 2025. Developers and Sponsors should be aware that the existing Common Criteria (CC) national schemes will accept applications until the end of 2024 or the end of January 2025; however, any ongoing Common Criteria certification projects under the existing national schemes must be finalized by February 2026.
The CC certificates issued during this transition period by the existing national schemes will also remain valid for five years even after the EUCC scheme is in operation from February 27th, 2025. From February 27th, 2025, the current national cybersecurity certification schemes will cease operation.
Although the EUCC transition is very well prepared and the concerned parties are all getting ready for the upcoming new scheme operation, it is still highly recommended to start your new CC certification project with the existing, well-known processes as soon as possible.
The EUCC certification is crucial for ICT products as it provides a recognized mark of assurance that the product meets stringent cybersecurity standards, enhancing its credibility in the market. Moreover, it facilitates the free movement of certified ICT products across EU countries, thereby expanding the potential customer base for the product.
The EUCC scheme is voluntary (just like the Common Criteria was under the national scheme structure). ICT suppliers who wish to showcase proof of assurance can apply for certification. EUCC-accredited Certification Bodies (CBs) are replacing the National Certification Bodies (NCBs). CBs and accredited Testing Laboratories, now called Information Technology Security Evaluation Facilities (ITSEFs) together form the Conformity Assessment Bodies (CABs).
To ensure your ICT product meets stringent cybersecurity standards, it is essential to understand the EUCC certification process. The following guide provides a detailed overview of each step, from initial application to final certification.
The first step in the EUCC certification process is applying to a designated certification body accredited under the EUCC scheme. Identifying the appropriate certification body (CB) for your specific product or service is crucial, so it is recommended to choose an experienced CB that you, or your chosen ITSEF may already have experience with. The certification body will review your application to ensure it meets the necessary criteria, which includes an initial assessment of your product's suitability for certification and alignment with EUCC standards.
Once your application is submitted, you need to provide comprehensive documentation to the chosen testing laboratory (ITSEF). This includes:
The testing laboratory (ITSEF) will use this documentation to thoroughly understand your product and assess its compliance with Common Criteria requirements based on the chosen assurance level (EAL). The provided Developer documents will serve as the basis of each Common Criteria evaluation class (ASE, ADV, AGD, ALC) and also for further tests during the AVA and ATE classes.
Choose a consulting partner and an accredited ITSEF (Information Technology Security Evaluation Facility) to facilitate the certification process. The selected ITSEF must be accredited for EUCC and prepared to work with the latest Common Criteria evaluation methodology, called CC2022, which replaces the earlier CCv3.1 revision 5. It is worth choosing a testing lab that has several years of experience in Common Criteria and is properly prepared for the EUCC processes. Your consulting partner can guide and support you throughout the certification process, helping you navigate the complexities and meet all requirements.
This phase can take several weeks to months, depending on the complexity of the product (TOE - Target of Evaluation), the required Evaluation Assurance Level (EAL) and most importantly the allocated time and resources the Sponsor/Developer is willing to provide. You will work closely with your consultant during this time to plan the evaluation process.
Hiring experts in EUCC certifications can streamline the application process and provide valuable guidance, that will save time and money for your organization. These professionals can help you understand the requirements, prepare documentation, and address any potential issues that may arise during the evaluation process.
Attend training sessions on Common Criteria certification and EUCC to enhance your understanding of the certification process. Conduct a thorough review of all documentation to ensure it meets the requirements and is free of errors or omissions. This step is critical for avoiding delays and ensuring your application and the provided developer documentation are ready for evaluation.
Perform an internal audit to verify that all necessary information is complete and accurate before submission. This step helps identify and address any potential issues before the ITSEF during the assessment flags them. An internal audit can also help you ensure that your product meets all necessary security requirements and is prepared for the evaluation process.
This phase involves thoroughly examining your product’s security features and compliance with Common Criteria requirements. It includes several critical steps, such as a document evaluation, functional and penetration testing, and potentially a site visit.
The chosen testing laboratory (ITSEF) will review your application and supporting documentation to ensure it meets the Common Criteria requirements of the chosen EAL.
It is important to understand that the submitted technical document – the Security Target – is not reviewed for compliance with CC requirements before submission. Consultation and evaluation are strictly separate processes, even if a consultant is involved. There is no prior review, so any errors made by the consultant will only be discovered during the evaluation phase. At this point, a formal notification will be issued.
During the document evaluation, the ITSEF will assess the provided Developer documents of the following evaluation classes:
The Security Target, which is the basic document for ASE class evaluation. This comprehensive document serves as a roadmap for the product's security aspects. It outlines the product's intricacies, intended usage, security objectives, and necessary security measures. Crafting a robust Security Target is essential for demonstrating how the product aligns with the relevant Protection Profile and/or the chosen EAL level.
Complementing the Security Target are design documents that offer detailed insights into the product's architecture, design rationale, and security implementation strategies. These documents during ADV class evaluation give evaluators a deep understanding of the product's inner workings, enabling them to assess its security posture effectively.
User Guides are pivotal in facilitating secure installation, configuration, and product usage. By providing clear and concise instructions, these guides empower end-users to effectively leverage the product's security features. Including comprehensive guidance on security best practices enhances the overall security posture of the product, further supporting its Common Criteria certification process during AGD class evaluation.
Lifecycle documentation refers to a set of documents that are produced during the different phases of a project, product, or service lifecycle. These documents outline the processes, tasks, or events that occur throughout these stages, and generally serve to record, guide, and monitor the progress and quality of the project/product/service. These documents will be evaluated during ALC class.
The ITSEF will conduct thorough testing of your product’s security features. This phase can last several weeks, depending on the product's complexity and the amount of testing required. The tests will verify whether your product's security features function as described in the documentation and meet Common Criteria requirements or not. Testing typically includes:
A site visit may be conducted if the EAL level specifies it. During this visit, the ITSEF will inspect your facilities and operations to ensure they meet the chosen requirements. This allows the ITSEF (and the certification body) to verify the information contained in the developer documents and observe your cybersecurity measures in action.
After all the evaluations and tests have been completed and passed, a final evaluation technical report (ETR) is prepared. This report documents the evaluation results and provides a detailed analysis of your product’s compliance with Common Criteria standards. The ETR includes the results of each evaluation class and is submitted to the CB after completion. The evaluation phase and ITSEF tasks end here, after this, the certification phase begins.
In the final phase, the CB executes a comprehensive review of the evaluation results and involves the issuance of the EUCC certificate if all criteria are met. This phase is crucial as it validates your product's compliance with stringent cybersecurity standards.
The certification body will accept the final ETR, which will be the basis of a decision based on the evaluation results, and other relevant information obtained during the certification process. This phase can take 3-4 months as it thoroughly examines all gathered data. The decision process includes two major steps.
If all requirements are met, the EUCC certificate will be issued. This certification validates that your product meets Common Criteria requirements and demonstrates its robust cybersecurity measures.
The evaluation process, including all testing laboratory tasks, may take 6-8 months to complete, but projects usually take 12-13 months on average before the certificate is issued, according to our experience. This timeline can vary depending on the complexity of the product and the thoroughness of the preparation and evaluation processes.
In conclusion, obtaining the EUCC certification is a rigorous but rewarding process that can significantly enhance the credibility and security of your ICT product in the European market. By understanding the requirements, preparing effectively, and navigating the assessment process, you can demonstrate your commitment to cybersecurity and gain a competitive edge in the industry.
CCLab provides assessment and advisory services for companies pursuing Common Criteria evaluation certifications under the existing national schemes and also under the upcoming EUCC scheme. By utilizing agile methodologies during consultation and pre-evaluation, clients can effectively navigate potential obstacles, avoid unexpected costs, and improve the efficiency of the certification process.
Download EUCC Study 2024 for the most important and up-to-date information about the new European Union Cybersecurity Certification Scheme
Learn everything you need to know for a successful Common Criteria certification project. Save costs and effort with your checklist.
This CCGuide flyer will quickly introduce you to the benefits of CCGuide training course subscription for your team. You can be sure that you will be able to use the knowledge you have acquired here and easily pass the CC requirements.
As cyber threats become more sophisticated, businesses are compelled to implement rigorous protection strategies to stay compliant and secureCertification labs, like CCLab, play a crucial role in supporting businesses with expert testing, assessment and comprehensive compliance services, and specialized training. These labs offer services ranging from security audits to penetration testing, ensuring businesses remain resilient against evolving cyber threats while meeting regulatory standards. This article explores the indispensable role of certification labs, highlighting how they enhance cybersecurity, ensure compliance, and support a safer digital landscape.
9
min reading time
This year, CCLab sponsored the opening reception of the International Common Criteria Conference (ICCC) in Qatar. Like in previous years, CCLab experts were present during the event meeting the most important stakeholders of Common Criteria. The ICCC is a highly prestigious professional event now in its 23rd year. It provides opportunities for networking and various forums to discuss CC policy and development. It is aimed at participants involved in the specification, development, evaluation, certification, and validation of IT security products and systems.
5
min reading time
In an era where digital threats grow in complexity and frequency, cybersecurity is no longer a secondary consideration but an essential part of manufacturing operations. Compliance with security standards offers manufacturers a structured approach to managing the growing risks of digital threats and securely handling sensitive data. Compliance also helps companies meet industry regulations, protect intellectual property, and avoid potentially devastating financial losses.
8
min reading time